It goes without saying that the business environment affecting all organizations is loaded with numerous, complex risks. And there is an overwhelming consensus from the executives we speak that the riskiness of the business environment is changing at significant levels for most, as evidenced by the performance, growth and reputation challenges in the financial services caused by failures in risk management and by the recent global economic downturn. And the civil unrest demonstrated over just over the past few weeks adds yet another new risk dimension.

So this leads to the question of why risk management has failed the financial industry. There are many reasons, far too many to cover here. Suffice it to say that failures are due more to human activity and inactivity, rather than the failures in complex risk models or technologies. For several years now, we've advocated a view of risk at an enterprise level. But even today, although most speak about increased attention to enterprise risk management (ERM) at Board levels, few firms appear to have the organizational prowess and human fortitude to put in place the policies, technologies, and processes to prove out the promise of ERM.

Over the last few weeks I've commented on the state of the ERM market though a couple a channels - a soon to be published editorial note with www.allaboutrisk.com and a web cast with Bank Systems and Technology and SAP. One of my key points is right in the title - Is there "proof or STILL promise" in ERM? I'm thinking that ERM could be the next GRC - nice in concept, but where's the value, and how are people measuring the value from their organizational, human capital, and technology investments. In general, I think the industry is still struggling with the definition of true Enterprise Risk Management, and the proof points/value propositions are still developing. ERM in terms of definition is still maturing, the market of solutions is still maturing, and through discussions we're having, naturaly we're finding firms at different places in ERM maturity.

So I'd like to suggest a simple maturity model (below) with four primary milestones to help the industry and individual firms gauge progress and value. The four milestones are REACTING, FILLING GAPS, RE-ARCHITECTING, OPTIMIZING, and we can use the guidence from other common maturity models to define what state a users might be in at each of these ERM milestones. In defining this guidence, keep in mind that the best, balanced ERM strategies will leverage, in my opinion, existing organizational and technical infrastructures with new capabilities and disciplines that display a few common attributes, including:

Improved risk data quality and connectivity to create more predictable outcomes for the financial enterprise and its customers, improve transaction efficiencies, and protect financial assets;

Advanced analytics and intelligence to reduce credit, market, and operational risk and expand and grow relationships with the customers segments that have the highest potential for profitability

Provide timely visibility, communications, and workflow for risk related events enterprise-wide, including support for flexible regulatory reporting, and

Maintain in a reliable, scalable and assured critical infrastructure to sustain service levels and allow institutions to excel operationally.

If you're interested in contributing to the development of an ERM Maturity Model, I'd welcome your input.